security-mcp 1.1.0 → 1.1.2

package/defaults/agent-run-schema.json

@@ -0,0 +1,98 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "$id": "https://github.com/AbrahamOO/security-mcp/blob/main/defaults/agent-run-schema.json",
+  "title": "AgentRunManifest",
+  "description": "Schema for .mcp/agent-runs/{agentRunId}/manifest.json — the coordination state for a multi-agent security run.",
+  "type": "object",
+  "required": ["agentRunId", "runId", "createdAt", "updatedAt", "phase", "internetPermitted", "stackContext", "scope", "agents"],
+  "additionalProperties": false,
+  "properties": {
+    "agentRunId": {
+      "type": "string",
+      "minLength": 32,
+      "maxLength": 32,
+      "description": "32-character hex identifier for this agent run."
+    },
+    "runId": {
+      "type": "string",
+      "format": "uuid",
+      "description": "UUID of the parent review run from security.start_review."
+    },
+    "createdAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "updatedAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "phase": {
+      "type": "integer",
+      "enum": [0, 1, 2, 3],
+      "description": "Current execution phase: 0=init, 1=parallel discovery, 2=adversarial+compliance, 3=synthesis."
+    },
+    "internetPermitted": {
+      "type": "boolean",
+      "description": "Whether the user permitted internet access for this run."
+    },
+    "stackContext": {
+      "type": "object",
+      "required": ["languages", "frameworks", "databases", "cloudProvider", "paymentProcessor", "hasAI", "hasMobile", "hasPII", "hasPayments", "packageManagers", "ciPlatform"],
+      "additionalProperties": false,
+      "properties": {
+        "languages":       { "type": "array", "items": { "type": "string" } },
+        "frameworks":      { "type": "array", "items": { "type": "string" } },
+        "databases":       { "type": "array", "items": { "type": "string" } },
+        "cloudProvider":   { "type": "array", "items": { "type": "string" } },
+        "paymentProcessor":{ "type": "array", "items": { "type": "string" } },
+        "hasAI":           { "type": "boolean" },
+        "hasMobile":       { "type": "boolean" },
+        "hasPII":          { "type": "boolean" },
+        "hasPayments":     { "type": "boolean" },
+        "packageManagers": { "type": "array", "items": { "type": "string" } },
+        "ciPlatform":      { "type": "array", "items": { "type": "string" } }
+      }
+    },
+    "scope": {
+      "type": "object",
+      "required": ["mode", "targets", "baseRef", "headRef"],
+      "additionalProperties": false,
+      "properties": {
+        "mode": {
+          "type": "string",
+          "enum": ["recent_changes", "folder_by_folder", "file_by_file"]
+        },
+        "targets": {
+          "type": "array",
+          "items": { "type": "string" }
+        },
+        "baseRef": { "type": "string" },
+        "headRef": { "type": "string" }
+      }
+    },
+    "agents": {
+      "type": "object",
+      "description": "Map of agent name to its lifecycle record.",
+      "additionalProperties": {
+        "$ref": "#/$defs/AgentRecord"
+      }
+    }
+  },
+  "$defs": {
+    "AgentRecord": {
+      "type": "object",
+      "required": ["status", "startedAt", "completedAt", "findingsPath", "summary"],
+      "additionalProperties": false,
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": ["pending", "running", "completed", "completed_partial", "failed"]
+        },
+        "startedAt":    { "type": ["string", "null"], "format": "date-time" },
+        "completedAt":  { "type": ["string", "null"], "format": "date-time" },
+        "findingsPath": { "type": ["string", "null"] },
+        "summary":      { "type": ["string", "null"] }
+      }
+    }
+  }
+}

package/dist/ci/pr-gate.js

@@ -1,6 +1,8 @@
 import { runPrGate } from "../gate/policy.js";
 // Allow safe git revision operators (~ and ^) plus ref/path characters. CWE-88.
 const SAFE_REF_RE = /^[a-zA-Z0-9_./~^-]+$/;
+// Allow relative file/folder paths for targets. CWE-88.
+const SAFE_TARGET_RE = /^[a-zA-Z0-9_./ -]+$/;
 function safeEnvRef(envVar, defaultValue) {
     const val = process.env[envVar] || defaultValue;
     if (!SAFE_REF_RE.test(val)) {
@@ -9,11 +11,26 @@ function safeEnvRef(envVar, defaultValue) {
     }
     return val;
 }
+function safeEnvTargets(envVar) {
+    const raw = process.env[envVar];
+    if (!raw)
+        return undefined;
+    const targets = raw.split(",").map((t) => t.trim()).filter(Boolean);
+    return targets.filter((t) => {
+        if (!SAFE_TARGET_RE.test(t) || t.includes("..")) {
+            console.error(`Skipping unsafe target: "${t}"`);
+            return false;
+        }
+        return true;
+    });
+}
 async function main() {
     const baseRef = safeEnvRef("SECURITY_GATE_BASE_REF", "origin/main");
     const headRef = safeEnvRef("SECURITY_GATE_HEAD_REF", "HEAD");
     const policyPath = process.env.SECURITY_GATE_POLICY || ".mcp/policies/security-policy.json";
-    const result = await runPrGate({ baseRef, headRef, policyPath });
+    const mode = (process.env.SECURITY_GATE_MODE ?? "recent_changes");
+    const targets = safeEnvTargets("SECURITY_GATE_TARGETS");
+    const result = await runPrGate({ baseRef, headRef, policyPath, mode, targets });
     // Print result for Actions logs
     console.log(JSON.stringify(result, null, 2));
     if (result.status !== "PASS") {

package/dist/cli/install.js

@@ -6,6 +6,7 @@
 import { readFileSync, writeFileSync, mkdirSync, existsSync, copyFileSync } from "node:fs";
 import { dirname, join, resolve } from "node:path";
 import { homedir, platform } from "node:os";
+import * as https from "node:https";
 import { fileURLToPath } from "node:url";
 import { runOnboarding, installSecurityTools, commandExists, SECURITY_TOOLS } from "./onboarding.js";
 const __dirname = dirname(fileURLToPath(import.meta.url));
@@ -158,6 +159,71 @@ function installSkill(dryRun) {
     }
     process.stdout.write(`  ${dryRun ? "[dry-run] would copy" : "installed"} skill: ${skillDest}\n`);
 }
+/**
+ * Download a skill SKILL.md from a remote URL and save it to ~/.claude/skills/{skillName}/SKILL.md.
+ * Used for lazy on-demand skill installation — all sub-agents are downloaded this way at first use.
+ * Mirrors the same pattern used for security tool binary downloads in onboarding.ts.
+ */
+// CWE-22: only alphanumeric, hyphens, and dots allowed in skill names
+const SAFE_SKILL_NAME_RE = /^[a-zA-Z0-9][a-zA-Z0-9._-]{0,127}$/;
+export async function downloadSkill(skillName, url, dryRun = false) {
+    if (!SAFE_SKILL_NAME_RE.test(skillName)) {
+        process.stdout.write(`  [error] invalid skill name "${skillName}" — skipping download\n`);
+        return;
+    }
+    const skillDest = resolveHome(`~/.claude/skills/${skillName}/SKILL.md`);
+    if (dryRun) {
+        process.stdout.write(`  [dry-run] would download skill "${skillName}" from ${url} → ${skillDest}\n`);
+        return;
+    }
+    const MAX_SKILL_BYTES = 512 * 1024; // 512 KB — skills are markdown files
+    const content = await new Promise((resolve) => {
+        const req = https.get(url, { headers: { "User-Agent": "security-mcp" } }, (res) => {
+            if ((res.statusCode ?? 500) >= 400) {
+                res.resume();
+                resolve(null);
+                return;
+            }
+            let body = "";
+            res.setEncoding("utf8");
+            res.on("data", (chunk) => {
+                body += chunk;
+                if (Buffer.byteLength(body, "utf8") > MAX_SKILL_BYTES) {
+                    req.destroy();
+                    resolve(null);
+                }
+            });
+            res.on("end", () => resolve(body));
+        });
+        req.on("error", () => resolve(null));
+        req.setTimeout(10000, () => { req.destroy(); resolve(null); });
+    });
+    if (!content) {
+        process.stdout.write(`  [error] failed to download skill "${skillName}" from ${url}\n`);
+        return;
+    }
+    mkdirSync(dirname(skillDest), { recursive: true });
+    writeFileSync(skillDest, content, "utf-8");
+    process.stdout.write(`  installed skill: ${skillDest}\n`);
+}
+/**
+ * Eagerly install the orchestrator skill (bundled in the package) plus record
+ * its version so orchestration.ensure_skill can detect future updates.
+ */
+function installOrchestratorSkill(dryRun) {
+    const skillName = "ciso-orchestrator";
+    const skillSrc = join(PKG_ROOT, "skills", skillName, "SKILL.md");
+    const skillDest = resolveHome(`~/.claude/skills/${skillName}/SKILL.md`);
+    if (!existsSync(skillSrc)) {
+        process.stdout.write(`  [skip] skills/${skillName}/SKILL.md not found in package\n`);
+        return;
+    }
+    if (!dryRun) {
+        mkdirSync(dirname(skillDest), { recursive: true });
+        copyFileSync(skillSrc, skillDest);
+    }
+    process.stdout.write(`  ${dryRun ? "[dry-run] would copy" : "installed"} skill: ${skillDest}\n`);
+}
 export async function runInstall(opts) {
     const dryRun = opts.dryRun;
     // ── Interactive onboarding (skipped when --yes or non-TTY) ──────────────
@@ -195,11 +261,12 @@ export async function runInstall(opts) {
             process.stdout.write(`  [error] ${err instanceof Error ? err.message : String(err)}\n`);
         }
     }
-    // Install Claude Code skill if Claude Code is in scope
+    // Install Claude Code skills if Claude Code is in scope
     const hasClaudeCode = targets.some((t) => t.name.startsWith("Claude Code"));
     if (hasClaudeCode || opts.all) {
-        process.stdout.write("\nInstalling Claude Code skill...\n");
+        process.stdout.write("\nInstalling Claude Code skills...\n");
         installSkill(dryRun);
+        installOrchestratorSkill(dryRun);
     }
     process.stdout.write("\nInstalling security policy...\n");
     installPolicy(dryRun);

package/dist/cli/onboarding.js

@@ -12,11 +12,13 @@
  */
 import { createInterface } from "node:readline/promises";
 import { stdin as input, stdout as output } from "node:process";
-import { execSync, spawnSync } from "node:child_process";
-import { platform, arch, homedir } from "node:os";
-import { mkdirSync, createWriteStream, chmodSync, existsSync } from "node:fs";
+import { spawnSync } from "node:child_process";
+import { platform, arch, homedir, tmpdir } from "node:os";
+import { mkdirSync, createWriteStream, chmodSync, existsSync, writeFileSync, unlinkSync } from "node:fs";
 import { join } from "node:path";
 import { pipeline } from "node:stream/promises";
+import { createHash } from "node:crypto";
+import { readFile as readFileAsync } from "node:fs/promises";
 // ─── Constants ────────────────────────────────────────────────────────────────
 const PROJECT_TYPES = [
     {
@@ -204,13 +206,13 @@ function getCpuArch() {
 }
 export function commandExists(cmd) {
     try {
+        // Use spawnSync (not execSync) to avoid shell injection — cmd is never interpolated into a shell string
         if (process.platform === "win32") {
-            execSync(`where "${cmd}"`, { stdio: "pipe" });
+            return spawnSync("where", [cmd], { stdio: "pipe" }).status === 0;
         }
         else {
-            execSync(`command -v ${cmd}`, { stdio: "pipe" });
+            return spawnSync("which", [cmd], { stdio: "pipe" }).status === 0;
         }
-        return true;
     }
     catch {
         return false;
@@ -220,6 +222,39 @@ function run(cmd, args) {
     const result = spawnSync(cmd, args, { stdio: "inherit" });
     return result.status === 0;
 }
+// ─── Binary integrity helpers ─────────────────────────────────────────────────
+// CWE-494: verify downloaded binary against publisher SHA-256 checksum before install.
+async function fetchChecksumFile(assets) {
+    const checksumAsset = assets.find((a) => /checksums?\.txt$/i.test(a.name) || /\.sha256(sums?)?$/i.test(a.name));
+    if (!checksumAsset)
+        return null;
+    try {
+        const res = await fetch(checksumAsset.browser_download_url);
+        if (!res.ok)
+            return null;
+        return await res.text();
+    }
+    catch {
+        return null;
+    }
+}
+function parseExpectedHash(checksumContent, filename) {
+    for (const line of checksumContent.split("\n")) {
+        const parts = line.trim().split(/\s+/);
+        if (parts.length >= 2) {
+            const hash = parts[0];
+            const name = (parts.at(-1) ?? "").replace(/^\*/, "");
+            if (name === filename && /^[0-9a-f]{64}$/i.test(hash)) {
+                return hash.toLowerCase();
+            }
+        }
+    }
+    return null;
+}
+async function verifyIntegrity(filePath, expectedHash) {
+    const content = await readFileAsync(filePath);
+    return createHash("sha256").update(content).digest("hex") === expectedHash;
+}
 // ─── GitHub binary download ───────────────────────────────────────────────────
 async function fetchLatestRelease(repo) {
     try {
@@ -282,6 +317,29 @@ async function installFromGitHub(tool, os) {
         print(`     Download failed.`);
         return false;
     }
+    // CWE-494: verify SHA-256 integrity before executing anything
+    const checksumContent = await fetchChecksumFile(release.assets);
+    if (checksumContent) {
+        const expectedHash = parseExpectedHash(checksumContent, fileName);
+        if (expectedHash) {
+            const valid = await verifyIntegrity(tmpFile, expectedHash);
+            if (!valid) {
+                print(`     Integrity check FAILED for ${fileName} — aborting install.`);
+                try {
+                    unlinkSync(tmpFile);
+                }
+                catch { /* ignore cleanup failure */ }
+                return false;
+            }
+            print(`     Integrity verified (SHA-256 matched).`);
+        }
+        else {
+            print(`     Warning: checksum file found but no entry for ${fileName} — proceeding without verification.`);
+        }
+    }
+    else {
+        print(`     Warning: no checksum file in release assets — cannot verify binary integrity.`);
+    }
     const destDir = "/usr/local/bin";
     if (tool.tarball) {
         // Extract the binary from the archive
@@ -347,12 +405,24 @@ async function tryDnf(tool) {
     const mgr = commandExists("dnf") ? "dnf" : commandExists("yum") ? "yum" : null;
     if (!mgr)
         return false;
-    // Add Aqua Security rpm repo
-    const repoContent = "[trivy]\\nname=Trivy repository\\n" +
-        "baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/\\n" +
-        "gpgcheck=0\\nenabled=1";
+    // CWE-78: avoid bash -c shell construction — write repo file to a temp path
+    // then move it into place with sudo (no shell, no injection surface).
+    const repoLines = [
+        "[trivy]",
+        "name=Trivy repository",
+        "baseurl=https://aquasecurity.github.io/trivy-repo/rpm/releases/$releasever/$basearch/",
+        "gpgcheck=0",
+        "enabled=1"
+    ];
+    const tmpRepoFile = join(tmpdir(), `trivy-${Date.now()}.repo`);
     print(`     Adding Aqua Security yum/dnf repository...`);
-    run("bash", ["-c", `echo -e "${repoContent}" | sudo tee /etc/yum.repos.d/trivy.repo`]);
+    try {
+        writeFileSync(tmpRepoFile, repoLines.join("\n") + "\n", "utf-8");
+    }
+    catch {
+        return false;
+    }
+    run("sudo", ["mv", tmpRepoFile, "/etc/yum.repos.d/trivy.repo"]);
     print(`     sudo ${mgr} install -y trivy`);
     return run("sudo", [mgr, "install", "-y", "trivy"]);
 }
@@ -513,6 +583,7 @@ export async function runOnboarding() {
         print("");
         print("   This applies the right compliance controls automatically,");
         print("   such as PCI DSS for payment cards or HIPAA for health data.");
+        print("   You can select multiple options (e.g. 1 2 or 1,2).");
         print("");
         for (const d of SENSITIVE_DATA_OPTIONS) {
             print(`   ${d.key}.  ${d.label}`);

package/dist/cli/update.js

@@ -4,11 +4,13 @@ import { dirname, join } from "node:path";
 import * as https from "node:https";
 const CACHE_DIR = join(homedir(), ".security-mcp");
 const CACHE_PATH = join(CACHE_DIR, "update-check.json");
+const SKILL_VERSIONS_PATH = join(CACHE_DIR, "skill-versions.json");
 const CHECK_INTERVAL_MS = 24 * 60 * 60 * 1000;
 const PROMPT_INTERVAL_MS = 24 * 60 * 60 * 1000;
 const REGISTRY_URL = "https://registry.npmjs.org/security-mcp/latest";
+const SKILLS_MANIFEST_URL = "https://raw.githubusercontent.com/AbrahamOO/security-mcp/main/skills-manifest.json";
 function parseVersion(input) {
-    const match = input.trim().match(/^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/);
+    const match = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(input.trim());
     if (!match)
         return null;
     return {
@@ -64,10 +66,15 @@ function fetchLatestVersion(timeoutMs = 1500) {
                 resolve(null);
                 return;
             }
+            const MAX_BYTES = 64 * 1024; // 64 KB — npm registry version response
             let body = "";
             res.setEncoding("utf8");
             res.on("data", (chunk) => {
                 body += chunk;
+                if (Buffer.byteLength(body, "utf8") > MAX_BYTES) {
+                    req.destroy();
+                    resolve(null);
+                }
             });
             res.on("end", () => {
                 try {
@@ -96,6 +103,71 @@ function shouldPrompt(cache, latestVersion, now) {
         return true;
     return now - lastPromptedAt >= PROMPT_INTERVAL_MS;
 }
+/** Check the skills manifest for skills that have newer versions than what is locally installed. */
+async function checkSkillUpdates() {
+    try {
+        const body = await new Promise((resolve) => {
+            const req = https.get(SKILLS_MANIFEST_URL, { headers: { "User-Agent": "security-mcp-update-checker" } }, (res) => {
+                if ((res.statusCode ?? 500) >= 400) {
+                    res.resume();
+                    resolve(null);
+                    return;
+                }
+                const MAX_MANIFEST_BYTES = 256 * 1024; // 256 KB
+                let buf = "";
+                res.setEncoding("utf8");
+                res.on("data", (c) => {
+                    buf += c;
+                    if (Buffer.byteLength(buf, "utf8") > MAX_MANIFEST_BYTES) {
+                        req.destroy();
+                        resolve(null);
+                    }
+                });
+                res.on("end", () => resolve(buf));
+            });
+            req.on("error", () => resolve(null));
+            req.setTimeout(3000, () => { req.destroy(); resolve(null); });
+        });
+        if (!body)
+            return [];
+        const manifest = JSON.parse(body);
+        let installed = {};
+        try {
+            installed = JSON.parse(readFileSync(SKILL_VERSIONS_PATH, "utf-8"));
+        }
+        catch { /* not installed yet */ }
+        const outdated = [];
+        for (const [name, entry] of Object.entries(manifest.skills)) {
+            const local = installed[name]?.version;
+            if (local && local !== entry.version) {
+                outdated.push(`${name}: ${local} → ${entry.version}`);
+            }
+        }
+        return outdated;
+    }
+    catch {
+        return [];
+    }
+}
+function printUpdateNotices(cache, currentVersion, now) {
+    const hasMcpUpdate = cache.latestVersion && compareVersions(currentVersion, cache.latestVersion) < 0;
+    const hasSkillUpdates = (cache.skillsWithUpdates?.length ?? 0) > 0;
+    if (!hasMcpUpdate && !hasSkillUpdates)
+        return;
+    if (cache.latestVersion && !shouldPrompt(cache, cache.latestVersion, now))
+        return;
+    if (hasMcpUpdate && cache.latestVersion) {
+        console.error(`\nUpdate available: security-mcp ${currentVersion} → ${cache.latestVersion}\n` +
+            "Run the CISO Orchestrator skill and choose option (A) to update automatically, or:\n" +
+            `  npm install -g security-mcp@${cache.latestVersion}\n` +
+            "  security-mcp install\n");
+    }
+    if (hasSkillUpdates && cache.skillsWithUpdates) {
+        console.error("\nSkill updates available:\n" +
+            cache.skillsWithUpdates.map((s) => `  • ${s}`).join("\n") +
+            "\nRun the CISO Orchestrator skill to apply skill updates automatically.\n");
+    }
+}
 export async function notifyIfUpdateAvailable(currentVersion) {
     const now = Date.now();
     const cache = readCache();
@@ -103,22 +175,18 @@ export async function notifyIfUpdateAvailable(currentVersion) {
     const shouldRefresh = Number.isNaN(lastCheckedAt) || now - lastCheckedAt >= CHECK_INTERVAL_MS;
     if (shouldRefresh) {
         const latestVersion = await fetchLatestVersion();
-        if (latestVersion) {
+        if (latestVersion)
             cache.latestVersion = latestVersion;
-        }
+        const skillUpdates = await checkSkillUpdates();
+        if (skillUpdates.length > 0)
+            cache.skillsWithUpdates = skillUpdates;
         cache.lastCheckedAt = new Date(now).toISOString();
         writeCache(cache);
     }
-    if (!cache.latestVersion)
-        return;
-    if (compareVersions(currentVersion, cache.latestVersion) >= 0)
-        return;
-    if (!shouldPrompt(cache, cache.latestVersion, now))
-        return;
-    process.stderr.write(`\nUpdate available: security-mcp ${currentVersion} -> ${cache.latestVersion}\n` +
-        "Update command: npm install -g security-mcp@latest\n" +
-        "Then refresh editor config: security-mcp install-global\n\n");
-    cache.lastPromptedVersion = cache.latestVersion;
-    cache.lastPromptedAt = new Date(now).toISOString();
-    writeCache(cache);
+    printUpdateNotices(cache, currentVersion, now);
+    if (cache.latestVersion) {
+        cache.lastPromptedVersion = cache.latestVersion;
+        cache.lastPromptedAt = new Date(now).toISOString();
+        writeCache(cache);
+    }
 }

package/dist/gate/checks/ai-redteam.js

@@ -294,16 +294,91 @@ async function runDynamicProbes(endpointUrl, probes) {
     }
     return results;
 }
+// CWE-918: resolve and validate an endpoint URL is not pointing to a private/metadata host.
+const PROBE_PRIVATE_RE = [/^127\./, /^10\./, /^172\.(1[6-9]|2\d|3[01])\./, /^192\.168\./, /^169\.254\./, /^::1$/, /^fc/, /^fd/];
+function isProbePrivateIp(ip) {
+    return PROBE_PRIVATE_RE.some((r) => r.test(ip));
+}
+async function resolveSafeEndpoint(rawUrl) {
+    try {
+        const parsed = new URL(rawUrl);
+        if (parsed.protocol !== "https:" && parsed.protocol !== "http:")
+            return null;
+        const { lookup } = await import("node:dns/promises");
+        const { isIP } = await import("node:net");
+        const host = parsed.hostname;
+        if (isIP(host))
+            return isProbePrivateIp(host) ? null : rawUrl;
+        if (host === "localhost" || host.endsWith(".internal"))
+            return null;
+        const resolved = await lookup(host, { all: true });
+        if (resolved.some(({ address }) => isProbePrivateIp(address)))
+            return null;
+        return rawUrl;
+    }
+    catch {
+        return null;
+    }
+}
+function probeFailureToFinding(probe) {
+    switch (probe.probe) {
+        case "jailbreak": return {
+            id: "AI_JAILBREAK_SUCCESS",
+            title: "Jailbreak probe succeeded — system prompt may have leaked",
+            severity: "CRITICAL",
+            evidence: ["Probe: jailbreak", probe.detail ?? ""],
+            requiredActions: [
+                "Implement system prompt protection: use instruction hierarchy, not string concatenation.",
+                "Add jailbreak detection and monitoring.",
+                "Do not rely on the system prompt for access control."
+            ]
+        };
+        case "injection": return {
+            id: "AI_INJECTION_SUCCESS",
+            title: "Prompt injection probe succeeded via simulated RAG context",
+            severity: "CRITICAL",
+            evidence: ["Probe: injection"],
+            requiredActions: [
+                "Apply content isolation between user instructions and retrieved context.",
+                "Treat all RAG-retrieved content as untrusted.",
+                "Validate model outputs before acting on them."
+            ]
+        };
+        case "pii_exfil": return {
+            id: "AI_PII_LEAK",
+            title: "PII exfiltration probe succeeded — model repeated sensitive data",
+            severity: "CRITICAL",
+            evidence: ["Probe: pii_exfil"],
+            requiredActions: [
+                "Implement output PII scanning before returning model responses.",
+                "Block responses containing SSN, card numbers, or credential patterns.",
+                "Add output filtering as a defense-in-depth layer."
+            ]
+        };
+        case "token_flood": return {
+            id: "AI_RATE_LIMIT_MISSING",
+            title: "Token flooding probe was not rate-limited — DoS risk",
+            severity: "HIGH",
+            evidence: ["Probe: token_flood"],
+            requiredActions: [
+                "Implement request size limits and token quotas on AI endpoints.",
+                "Return 413 or 429 for oversized requests.",
+                "Add per-user token budgets."
+            ]
+        };
+        default: return null;
+    }
+}
 /**
  * Run AI/LLM red-team checks: static analysis + optional dynamic probes.
  */
 export async function runAiRedteamChecks(opts) {
     const findings = [];
-    // Static analysis (always runs)
-    const staticFindings = await runStaticAnalysis(opts.changedFiles);
-    findings.push(...staticFindings);
-    // Dynamic probes (only if endpoint is configured)
-    const endpointUrl = opts.endpointUrl ?? process.env["SECURITY_AI_ENDPOINT"];
+    findings.push(...await runStaticAnalysis(opts.changedFiles));
+    const rawEndpointUrl = opts.endpointUrl ?? process.env["SECURITY_AI_ENDPOINT"];
+    if (!rawEndpointUrl)
+        return findings;
+    const endpointUrl = await resolveSafeEndpoint(rawEndpointUrl);
     if (!endpointUrl)
         return findings;
     const allProbes = ["jailbreak", "injection", "pii_exfil", "token_flood"];
@@ -314,60 +389,9 @@ export async function runAiRedteamChecks(opts) {
         for (const probe of result.value) {
             if (probe.passed)
                 continue;
-            switch (probe.probe) {
-                case "jailbreak":
-                    findings.push({
-                        id: "AI_JAILBREAK_SUCCESS",
-                        title: "Jailbreak probe succeeded — system prompt may have leaked",
-                        severity: "CRITICAL",
-                        evidence: ["Probe: jailbreak", probe.detail ?? ""],
-                        requiredActions: [
-                            "Implement system prompt protection: use instruction hierarchy, not string concatenation.",
-                            "Add jailbreak detection and monitoring.",
-                            "Do not rely on the system prompt for access control."
-                        ]
-                    });
-                    break;
-                case "injection":
-                    findings.push({
-                        id: "AI_INJECTION_SUCCESS",
-                        title: "Prompt injection probe succeeded via simulated RAG context",
-                        severity: "CRITICAL",
-                        evidence: ["Probe: injection"],
-                        requiredActions: [
-                            "Apply content isolation between user instructions and retrieved context.",
-                            "Treat all RAG-retrieved content as untrusted.",
-                            "Validate model outputs before acting on them."
-                        ]
-                    });
-                    break;
-                case "pii_exfil":
-                    findings.push({
-                        id: "AI_PII_LEAK",
-                        title: "PII exfiltration probe succeeded — model repeated sensitive data",
-                        severity: "CRITICAL",
-                        evidence: ["Probe: pii_exfil"],
-                        requiredActions: [
-                            "Implement output PII scanning before returning model responses.",
-                            "Block responses containing SSN, card numbers, or credential patterns.",
-                            "Add output filtering as a defense-in-depth layer."
-                        ]
-                    });
-                    break;
-                case "token_flood":
-                    findings.push({
-                        id: "AI_RATE_LIMIT_MISSING",
-                        title: "Token flooding probe was not rate-limited — DoS risk",
-                        severity: "HIGH",
-                        evidence: ["Probe: token_flood"],
-                        requiredActions: [
-                            "Implement request size limits and token quotas on AI endpoints.",
-                            "Return 413 or 429 for oversized requests.",
-                            "Add per-user token budgets."
-                        ]
-                    });
-                    break;
-            }
+            const finding = probeFailureToFinding(probe);
+            if (finding)
+                findings.push(finding);
         }
     }
     return findings;